Deployment using Kubernetes
This section describes how to deploy ADS using Kubernetes (K8s).
You can install K8s in one of the following ways:
🖥️ Local installation using minikube.
☁️ Cloud installation using EKS by Amazon Web Services (AWS).
The following describes a suggested approach for Kubernetes deployment. However, you are encouraged to customize your deployment to align with your specific system configuration taking into account potential security concerns and other relevant considerations.
Requirements
- Local installation
- Cloud installation
To run ADS locally on a K8s minikube environment, install:
Kubernetes and kubectl
The open-source system for automating deployment, scaling, and management of containerized applications along with its command line tool.
Local K8s for macOS, Linux, and Windows.
The official command line interface to manage AWS services.
The package manager for K8s.
The open platform to package and run applications in isolated containers along with the tool for defining and running multi-container Docker applications.
To run ADS on a K8s cloud AWS environment using Amazon EKS, install:
The official command line tool for communicating with a K8s cluster.
The package manager for K8s.
The official command line interface to manage AWS services.
Docker and Docker Compose
The open platform to package and run applications in isolated containers along with the tool for defining and running multi-container Docker applications.
A CLI tool for creating and managing clusters on Amazon EKS.
Preparation
Access Decision Service is downloaded via AWS CLI. If you have not already done so, install AWS CLI following the instructions in AWS documentation.
Configure the Axiomatics AWS CLI account
Configure the AWS CLI account using the aws configure
command, as explained in AWS documentation. This procedure requires an Access key ID and a Secret access key, which will have been provided to you by Axiomatics.
Download the ADS distribution
The ADS distribution is downloaded as a ZIP file, containing a pre-configured Docker-based installation. Run the following command in the terminal to download ADS:
aws s3api get-object --bucket axiomatics-customer-artifacts --key releases/com/axiomatics/access-decision-service/access-decision-service/1.11.0-0/access-decision-service-1.11.0-0.zip access-decision-service-1.11.0-0.zip
Extract the ADS distribution .zip
file to the folder from where you want to run ADS.
Docker registry
The Docker registry is a server side application that stores and lets you distribute Docker images. Axiomatics recommends working with a remote registry both for local and cloud installations. However, for local installations only, if a remote registry cannot be supported by your specific setup, then you can deploy a local registry server.
Follow the steps below according to your specific setup:
Create the truststore
Get the SSL certificate of the gateway that was used for ASM to create the ADS
truststore.jks
.Create the
truststore.jks
from the.crt
file and add it to your docker image.noteFor the creation of the truststore file, convert the certificate file that you used during the installation of ASM.
Use the following command to convert the
.crt
file to.jks
:keytool -importcert -deststorepass changeit -keystore truststore.jks -file server.crt -alias 1 -noprompt -storetype JKS
Add the
truststore.jks
file to the ADSdocker/resources/
folder.
- Remote registry
- Local registry
Login to your Docker registry
Follow the steps below according to your specific setup:
In the snippet below replace
<region_code>
with the AWS Region that you want to create your cluster in<aws_account_id>
with your AWS account ID
Log in to your Amazon ECR registry.
aws ecr get-login-password --region <region_code> | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<region_code>.amazonaws.com
Create the following repositories in your ECR registry:
axiomatics/ads
In the snippets below replace<hostname>
with your own hostname. In case you do not have a hostname and you are working with localhost
, add the special domain host.docker.internal
.
Create a directory.
mkdir certs
Create a self-signed certificate.
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout certs/registry.key -out certs/registry.crt -subj "/CN=<hostname>" -addext "subjectAltName=DNS:<hostname>"
Add the certificate to Docker trusted certificates. Based on your OS:
Windows:
Install the
registry.crt
certificate on your Local machine in the Trusted Root Certification Authorities.macOS and Linux:
Create the certificates directory, if it doesn't exist already.
sudo mkdir -p /etc/docker/certs.d/<hostname>:5000
Copy the generated certificate to the Docker certificates directory.
sudo cp certs/registry.crt /etc/docker/certs.d/<hostname>:5000/ca.crt
Restart Docker and minikube.
Start the local registry.
docker run -d -p 5000:5000 --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key registry:2
Create a PEM file and copy it to the Minikube configurations directory.
openssl x509 -in certs/registry.crt -out certs/registry.pem -outform PEM
cp certs/registry.pem ~/.minikube/certs
Build the Docker images
Navigate to the ADS
docker
folder of the extracted distribution.Edit the
credentials.txt
file by updating the placeholder values for Access key ID and Secret access key with the values provided by Axiomatics.noteThese are the same values that were used in setting up AWS CLI.
Copy a valid PDP license file to the
docker
directory.noteThis file is provided separately by Axiomatics.
To add one or more Attribute Connectors download the respective
jar
files and navigate toresources/lib/
. Place them under thelib
folder as shown in the structure tree below:├─ lib/
├─ <attribute-connector-1>.jar
├─ <attribute-connector-2>.jarAdditional files, such as JDBC drivers (should they be necessary), must be also added under the
lib
folder, in the same way as Attribute Connectors.For updating one or more existing Attribute Connector(s), refer to section Update Attribute Connector(s) for Kubernetes deployment.
- Remote registry
- Local registry
Run the following command to build ADS.
docker build --build-arg AWS_BUCKET=axiomatics-customer-artifacts --build-arg AWS_REPO=releases --build-arg ADS_VERSION=1.11.0 . -f Dockerfile -t <aws_account_id>.dkr.ecr.<region>.amazonaws.com/axiomatics/ads:1.11.0
Run the following command to push the image to your registry.
docker push <aws_account_id>.dkr.ecr.<region>.amazonaws.com/axiomatics/ads:1.11.0
Run the following command to build ADS.
docker build --build-arg AWS_BUCKET=axiomatics-customer-artifacts --build-arg AWS_REPO=releases --build-arg ADS_VERSION=1.11.0 . -f Dockerfile -t localhost:5000/ads:1.11.0
Run the following command to push the image to your registry.
docker push localhost:5000/ads:1.11.0
Replace the version placeholders with the most recent available distribution.
Setup
This section describes how to deploy Kubernetes with ADS.
You can install Kubernetes with ADS in one of the following ways:
- Local installation using minikube.
- Cloud installation using EKS from AWS.
Follow the steps below according to your specific setup:
Installation procedure
- Local installation
- Cloud installation
Navigate to the
kubernetes
directory.Add the
axiomatics_PDP.license
license file and launch a terminal window in this directory.If minikube is not already running follow the commands below to start minikube.
Start minikube:
minikube start
After minikube has started, launch a new terminal window and create a tunnel.
minikube tunnel
ImportantThis terminal window should remain open during the K8s installation.
On the initial terminal window, create the ADS namespace.
kubectl create namespace axiomatics-ads
Navigate to the
kubernetes
directory.Add the
axiomatics_PDP.license
license file and launch a terminal window in this directory.Create the namespace.
kubectl create ns axiomatics-ads
Create secrets
Create a secret for the Keycloak client. Use your own client id and secret, which can be found on the Keycloak dashboard.
kubectl create secret generic ads-adm-access-secret \
--from-literal=client-id=<client_id> \
--from-literal=client-secret=<secret> \
--from-literal=client-token-uri=https://<asm_hostname>/auth/realms/asm/protocol/openid-connect/token \
--namespace=axiomatics-adsnoteIn case of local installation
<asm_hostname>
=host.docker.internal
For more information on how to use Keycloak with ADS, please refer to Configure Keycloak for ADS.
Create a secret for pulling from ECR.
ImportantThis applies only to installations using a remote Docker registry.
kubectl create secret docker-registry regcred \
--docker-server=<aws_account_id>.dkr.ecr.<region_code>.amazonaws.com \
--docker-username=AWS --docker-password=$(aws ecr get-login-password --region=<region_code>) \
--namespace=axiomatics-adsCreate an ADS License secret.
kubectl create secret generic ads-license \
--from-file=axiomatics_PDP.license \
--namespace axiomatics-adsCreate a secret for the ADS PEP credentials:
kubectl create secret generic ads-pep-client-login --from-literal=username=ads-user --from-literal=password=2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b --namespace=axiomatics-ads
noteThe default password is
secret
encrypted in SHA256 hash.You can change your password with the following command:
echo -n yourPassword | sha256sum
- Local installation
- Cloud installation
Final steps
Navigate to the
kubernetes
directory and install ADS using Helm.helm install -n axiomatics-ads ads -f adscharts/values.yaml adscharts --set imageRegistry=<your_image_registry> --set adsHostname=<your_hostname> --set asmHostname=<your_asm_hostname> --set admDomainName=<your_adm_domain_name> --set asmProjectName=<your_asm_project_name> --set ads.metrics.enabled=true
ImportantIn the command above, replace the placeholders with your own values. For details, see the table below.
Parameter Value Description imageRegistry
<your_image_registry> The remote image registry. For example, the ECR IP <aws_account_id>.dkr.ecr.<region_code>.amazonaws.com/axiomatics/
adsHostname
<your_hostname> The hostname you use. asmHostname
<your_asm_hostname> The hostname of your ASM.
For local installation, usehost.docker.internal
.asmProjectName
<your_asm_project_name> The name of your ASM project. admDomainName
<your_adm_domain_name> The domain name of ADM. ads.metrics.enabled
true or false Set this parameter to true
if you want to send metrics to the ASM Dashboard.
The default value isfalse
.List all pods and make sure they are all running.
kubectl get all -n axiomatics-ads
Final steps
Navigate to the
kubernetes
directory and install ADS using Helm.helm install -n axiomatics-ads ads -f adscharts/values.yaml adscharts --set imageRegistry=<your_image_registry> --set adsHostname=<your_hostname> --set asmHostname=<your_asm_hostname> --set ads.service.type=ClusterIP --set certificateArn=<certificate_arn> --set isAwsInstallation=true --set admDomainName=<your_adm_domain_name> --set asmProjectName=<your_asm_project_name> --set ads.metrics.enabled=true
ImportantIn the command above, replace the placeholders with your own values. For details, see the table below.
Parameter Value Description imageRegistry
<your_image_registry> The remote image registry. For example, the ECR IP <aws_account_id>.dkr.ecr.<region_code>.amazonaws.com/axiomatics/
adsHostname
<your_hostname> The hostname you use. asmHostname
<your_asm_hostname> The hostname of your ASM.
For local installation, usehost.docker.internal
.asmProjectName
<your_asm_project_name> The name of your ASM project.
The default value issystem
.admDomainName
<your_adm_domain_name> The domain name of ADM.
The default value issystem
.certificateArn
<certificate_arn> The ARN specifying the server SSL certificate that you have configured on AWS ACM. This is going to be used by the load balance. ads.metrics.enabled
true or false Set this parameter to true
if you want to send metrics to the ASM Dashboard.
The default value isfalse
.List all pods and make sure they are all running.
kubectl get all -n axiomatics-ads
Troubleshooting
Extra commands that can assist your troubleshooting efforts.
In the snippets below replace
<region-code>
with your cluster's AWS Region<aws_account_id>
with your AWS account ID
Minikube with -p/--profile
The name of the minikube VM being used to allow having multiple instances of minikube independently.
minikube start -p axiocube
minikube tunnel -p axiocube
minikube stop -p axiocube
Image pull policy
If the pod already exists with the IfNotPresent
pull policy and has failed, restart it.
kubectl rollout restart deploy ads -n axiomatics-ads
Kubernetes statuses
ImageErrPull
If the job fails with ImageErrPull
because of an expired registry credentials secret
Delete secret.
kubectl delete secret regcred -n axiomatics-ads
Recreate it.
kubectl create secret docker-registry regcred --docker-server=<aws_account_id>.dkr.ecr.<region-code>.amazonaws.com --docker-username=AWS --docker-password=$(aws ecr get-login-password) --namespace=axiomatics-ads